| 1 |
Am 2015-07-19 um 00:45 schrieb walt: |
| 2 |
> On Sat, 18 Jul 2015 12:21:39 +0200 |
| 3 |
> "Stefan G. Weichinger" <lists@×××××.at> wrote: |
| 4 |
> |
| 5 |
>> |
| 6 |
>> Does anyone (aside from Diego, as I know from his blog) use Yubico |
| 7 |
>> Yubikeys with Gentoo? |
| 8 |
>> |
| 9 |
>> I am especially interested in getting it to work within Gnome, to |
| 10 |
>> authenticate ssh-sessions (using the smartcard feature of the Yubikey |
| 11 |
>> NEO). |
| 12 |
>> |
| 13 |
>> There are X howtos out there ... telling me to add udev-rules, disable |
| 14 |
>> gnome-keyring, run keychain ... etc etc |
| 15 |
>> |
| 16 |
> |
| 17 |
> What an amazing coincidence. I just listened to a podcast about an hour |
| 18 |
> ago where the process was explained in detail (even mentioning the NEO |
| 19 |
> model and smartcard in particular). Weird. |
| 20 |
> |
| 21 |
> I'm curious to know if this link actually gives you what you asked for: |
| 22 |
> |
| 23 |
> http://www.jupiterbroadcasting.com/85062/ssh-authentication-with-yubikey-las-373/ |
| 24 |
> |
| 25 |
> You can either watch (or listen to) the podcast, or scroll down the page |
| 26 |
> about one-third to see written instructions. (Instructions based on |
| 27 |
> ubuntu, not gentoo, but I'm sure you can translate :) |
| 28 |
|
| 29 |
Thanks. Ok, didn't yet know about that piv-tool, will build it later |
| 30 |
this day and try it. |
| 31 |
|
| 32 |
The instructions there seem to be simply taken from the yubico website: |
| 33 |
|
| 34 |
https://developers.yubico.com/yubico-piv-tool/SSH_with_PIV_and_PKCS11.html |
| 35 |
|
| 36 |
The howto doesn't use gpg-(sub)keys for ssh-auth, so far I followed |
| 37 |
howtos like this: |
| 38 |
|
| 39 |
https://stafwag.github.io/blog/blog/2015/06/16/using-yubikey-neo-as-gpg-smartcard-for-ssh-authentication/ |
| 40 |
|
| 41 |
As I have an existing gpg-keyring I am cautious not to break things. |
| 42 |
So I added subkeys with 2048 bits to make them fit on the SC-part of the |
| 43 |
Neo Yubikey (my main key is 4096 bits long). |
| 44 |
|
| 45 |
This guy |
| 46 |
|
| 47 |
http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/ |
| 48 |
|
| 49 |
moves on to a new main key while doing all this ... maybe I should |
| 50 |
consider this as well. |
| 51 |
|
| 52 |
All the howtos out there have in common, that the process of handling |
| 53 |
all the needed parts feels kind of unintuitive and scary. And I always |
| 54 |
wonder if I haven't missed a thing and locked myself out forever ;-) |
| 55 |
|
| 56 |
I had ssh using the (gpg-)subkey from the card already on one machine. |
| 57 |
Somehow it stopped working again and I am not sure what I screwed up. |
| 58 |
|
| 59 |
All this lead me to using keychain ( |
| 60 |
https://wiki.gentoo.org/wiki/Keychain ) ... to control agents for gpg |
| 61 |
and ssh (and cache PINs/passphrases). So I have to disable parts of the |
| 62 |
gnome-keyring (maybe the whole?) to let keychain manage that. |
| 63 |
|
| 64 |
Many moving parts included. |
| 65 |
|
| 66 |
Stefan |
Archives